Merge pull request #152 from ved-rivos/0829

Clarify xSSE and xLPE for a M+U configuration - i.e. when S-mode is not supported
riscv · Sep 1, 2023 · 3bb3d02 · 3bb3d02
2 parents ece1c00 + b812e43
commit 3bb3d02
Show file tree

Hide file tree

Showing 3 changed files with 89 additions and 53 deletions.
diff --git a/cfi_backward.adoc b/cfi_backward.adoc
@@ -75,16 +75,20 @@ This chapter specifies the CSR state of the Zicfiss extensions.
 ], config:{lanes: 4, hspace:1024}}
 ....
 
-Zicfiss extension introduces the `SSE` field (bit 3) in `menvcfg`. When
-`SSE` field is 1, the Zicfiss extension is enabled in S-mode. When `SSE`
-field is 0, the Zicfiss extension is not enabled in S-mode and the following
-rules apply to privilege modes less than M.
+The Zicfiss extension adds the `SSE` field (bit 3) to `menvcfg`. When the `SSE`
+field is set to 1 and S-mode is supported, the Zicfiss extension is enabled in
+S-mode. If S-mode isn't supported but U-mode is, then with the SSE field set to
+1, the Zicfiss extension is enabled in U-mode.
 
-* Attempts to access the `ssp` CSR raise an illegal instruction exception.
-* The 32-bit Zicfiss instructions revert to their Zimop defined behavior.
-* The 16-bit Zicfiss instructions revert to their Zcmop defined behavior.
-* The `pte.xwr=010b` encoding in S-stage page tables is reserved.
-* The `henvcfg.SSE` and `senvcfg.SSE` fields are read-only zero.
+When `SSE` field is 0, the following rules apply to privilege modes that are
+less than M:
+
+* Any attempt to access the `ssp` CSR will result in an illegal instruction
+  exception.
+* 32-bit Zicfiss instructions will revert to their behavior as defined by Zimop.
+* 16-bit Zicfiss instructions will revert to their behavior as defined by Zcmop.
+* The `pte.xwr=010b` encoding in S-stage page tables becomes reserved.
+* The `henvcfg.SSE` and `senvcfg.SSE` fields will read as zero and are read-only.
 
 ==== Supervisor environment configuration registers (`senvcfg`)
 
@@ -102,14 +106,15 @@ rules apply to privilege modes less than M.
 ], config:{lanes: 4, hspace:1024}}
 ....
 
-Zicfiss extension introduces the `SSE` field (bit 3) in `senvcfg`. When
-`SSE` field is 1, the Zicfiss extension is enabled in VU/U-mode. When `SSE`
-field is 0, the Zicfiss extension is not enabled in VS/U-mode and the following
-rules apply:
+Zicfiss extension introduces the `SSE` field (bit 3) in `senvcfg`. If the
+`SSE` field is set to 1, the Zicfiss extension is activated in VU/U-mode. When
+the `SSE` field is 0, the Zicfiss extension remains inactive in VS/U-mode, and
+the following rules apply:
 
-* Attempts to access the `ssp` CSR raise an illegal instruction exception.
-* The 32-bit Zicfiss instructions revert to their Zimop defined behavior.
-* The 16-bit Zicfiss instructions revert to their Zcmop defined behavior.
+* Any attempts to access the `ssp` CSR will result in an illegal instruction
+  exception.
+* 32-bit Zicfiss instructions will revert to their behavior as defined by Zimop.
+* 16-bit Zicfiss instructions will revert to their behavior as defined by Zcmop.
 
 ==== Hypervisor environment configuration registers (`henvcfg and henvcfgh`)
 
@@ -130,16 +135,17 @@ rules apply:
 ], config:{lanes: 4, hspace:1024}}
 ....
 
-Zicfiss extension introduces the `SSE` field (bit 3) in `henvcfg`. When
-`SSE` field is 1, the Zicfiss extension is enabled in VS-mode. When `SSE`
-field is 0, the Zicfiss extension is not enabled in VS-mode and the following
-rules apply when `V=1`.
+Zicfiss extension introduces the `SSE` field (bit 3) in `henvcfg`. If the
+`SSE` field is set to 1, the Zicfiss extension is activated in VS-mode. When
+the `SSE` field is 0, the Zicfiss extension remains inactive in VS-mode, and
+the following rules apply when `V=1`:
 
-* Attempts to access the `ssp` CSR raise an illegal instruction exception.
-* The 32-bit Zicfiss instructions revert to their Zimop defined behavior.
-* The 16-bit Zicfiss instructions revert to their Zcmop defined behavior.
-* The `pte.xwr=010b` encoding in VS-stage page tables is reserved.
-* The `senvcfg.SSE` field is read-only zero.
+* Any attempts to access the `ssp` CSR will result in an illegal instruction
+  exception.
+* 32-bit Zicfiss instructions will revert to their behavior as defined by Zimop.
+* 16-bit Zicfiss instructions will revert to their behavior as defined by Zcmop.
+* The `pte.xwr=010b` encoding in VS-stage page tables becomes reserved.
+* The `senvcfg.SSE` field will read as zero and is read-only.
 
 ==== Shadow stack pointer (`ssp`)
 
@@ -175,10 +181,11 @@ are specified in <<PMP_SS>>.
 === Shadow-Stack-Enabled (SSE) state
 
 The term `xSSE` is used to determine if backward-edge CFI using shadow stacks
-provided by the Zicfiss extension is enabled at a privilege mode and it is
-determined as follows:
+provided by the Zicfiss extension is enabled at a privilege mode.
+
+When S-mode is supported, it is determined as follows:
 
-.`xSSE` determination
+.`xSSE` determination when S-mode is supported
 [width=100%]
 [%header, cols="^4,^12"]
 |===
@@ -189,6 +196,17 @@ determined as follows:
 |  U or VU     | `senvcfg.SSE`
 |===
 
+When S-mode is not supported, it is determined as follows:
+
+.`xSSE` determination when S-mode is not supported
+[width=100%]
+[%header, cols="^4,^12"]
+|===
+|Privilege Mode| xSSE
+|  M           | `1`
+|  U           | `menvcfg.SSE`
+|===
+
 [NOTE]
 ====
 Activating Zicfiss in U-mode must be done explicitly per process. Not activating

diff --git a/cfi_forward.adoc b/cfi_forward.adoc
@@ -127,14 +127,19 @@ This chapter specifies the CSR state of the Zicfilp extension.
 ], config:{lanes: 4, hspace:1024}}
 ....
 
-Zicfilp extension introduces the `LPE` field (bit 2) in `menvcfg`. When
-`LPE` field is 1, the Zicfilp extension is enabled in S-mode. When `LPE`
-field is 0, the Zicfilp extension is not enabled in S-mode and the following
-rules apply to S-mode:
+Zicfilp extension introduces the `LPE` field (bit 2) in `menvcfg`. When the
+`LPE` field is set to 1 and S-mode is supported, the Zicfilp extension is
+enabled in S-mode. If `LPE` field is set to 1 and S-mode is not supported, the
+Zicfilp extension is enabled in U-mode.
 
-* The hart does not update the expected landing pad (`ELP`) state and the `ELP`
-  state is always `NO_LP_EXPECTED`.
-* The `lpad` instruction executes as a no-op.
+When `LPE` field is 0, the Zicfilp extension is not enabled in S-mode, and the
+following rules apply to S-mode:
+
+* The hart does not update the expected landing pad (`ELP`) state, and the `ELP`
+  state remains `NO_LP_EXPECTED`.
+* The `lpad` instruction operates as a no-op.
+
+If the `LPE` field is 0 and S-mode is not supported, these rules apply to U-mode.
 
 ==== Supervisor environment configuration registers (`senvcfg`)
 
@@ -153,14 +158,14 @@ rules apply to S-mode:
 ], config:{lanes: 4, hspace:1024}}
 ....
 
-Zicfilp extension introduces the `LPE` field (bit 2) in `senvcfg`. When
-`LPE` field is 1, the Zicfilp extension is enabled in VU/U-mode. When `LPE`
-field is 0, the Zicfilp extension is not enabled in VU/U-mode and the
+Zicfilp extension introduces the `LPE` field (bit 2) in `senvcfg`. When the
+`LPE` field is set to 1, the Zicfilp extension is enabled in VU/U-mode. When the
+`LPE` field is 0, the Zicfilp extension is not enabled in VU/U-mode and the
 following rules apply to VU/U-mode:
 
 * The hart does not update the expected landing pad (`ELP`) state and the `ELP`
-  state is always `NO_LP_EXPECTED`.
-* The `lpad` instruction executes as a no-op.
+  state remains `NO_LP_EXPECTED`.
+* The `lpad` instruction operates as a no-op.
 
 ==== Hypervisor environment configuration registers (`henvcfg and henvcfgh`)
 
@@ -182,14 +187,14 @@ following rules apply to VU/U-mode:
 ], config:{lanes: 4, hspace:1024}}
 ....
 
-Zicfilp extension introduces the `LPE` field (bit 2) in `henvcfg`. When
-`LPE` field is 1, the Zicfilp extension is enabled in VS-mode. When `LPE`
+Zicfilp extension introduces the `LPE` field (bit 2) in `henvcfg`. When the
+`LPE` field is set to 1, the Zicfilp extension is enabled in VS-mode. When `LPE`
 field is 0, the Zicfilp extension is not enabled in VS-mode and the following
 rules apply to VS-mode:
 
 * The hart does not update the expected landing pad (`ELP`) state and the `ELP`
-  state is always `NO_LP_EXPECTED`.
-* The `lpad` instruction executes as a no-op.
+  state remains `NO_LP_EXPECTED`.
+* The `lpad` instruction operates as a no-op.
 
 ==== Machine status registers (`mstatus`)
 
@@ -265,7 +270,7 @@ fields that hold the previous `ELP`, and are updated as specified in
 ], config:{lanes: 4, hspace:1024}}
 ....
 
-Access to the `SPELP` field introducecd by Zicfilp accesses the homonymous
+Access to the `SPELP` field introduced by Zicfilp accesses the homonymous
 fields of `mstatus` when `V=0` and the homonymous fields of `vsstatus`
 when `V=1`.
 
@@ -298,7 +303,7 @@ when `V=1`.
 ], config:{lanes: 4, hspace:1024}}
 ....
 
-The Zicfilp extension introduces the `SPELP` (bit 23) field that hold the
+The Zicfilp extension introduces the `SPELP` (bit 23) field that holds the
 previous `ELP`, and is updated as specified in <<FORWARD_TRAPS>>.
 The `SPELP` field is encoded as follows:
 
@@ -328,8 +333,8 @@ is 0, the Zicfilp extension is not enabled in M-mode and the following rules
 apply to M-mode.
 
 * The hart does not update the expected landing pad (`ELP`) state and the `ELP`
-  state is always `NO_LP_EXPECTED`.
-* The `lpad` instruction executes as a no-op.
+  state remains `NO_LP_EXPECTED`.
+* The `lpad` instruction operates as a no-op.
 
 ==== Debug Control and Status (`dcsr`)
 
@@ -369,10 +374,11 @@ holds the previous `ELP`, and is updated as specified in <<FORWARD_TRAPS>>. The
 === Landing-Pad-Enabled (LPE) state
 
 The term `xLPE` is used to determine if forward-edge CFI using landing pads
-provided by the Zicfilp extension is enabled at a privilege mode and it is
-determined as follows:
+provided by the Zicfilp extension is enabled at a privilege mode.
 
-.`xLPE` determination
+When S-mode is supported, it is determined as follows:
+
+.`xLPE` determination when S-mode is supported
 [width=100%]
 [%header, cols="^4,^12"]
 |===
@@ -383,6 +389,17 @@ determined as follows:
 |  U or VU     | `senvcfg.LPE`
 |===
 
+When S-mode is not supported, it is determined as follows:
+
+.`xLPE` determination when S-mode is not supported
+[width=100%]
+[%header, cols="^4,^12"]
+|===
+|Privilege Mode| xLPE
+|  M           | `mseccfg.MLPE`
+|  U           | `menvcfg.LPE`
+|===
+
 [NOTE]
 ====
 The Zicfilp must be explicitly enabled for use at each privilege mode.

diff --git a/cfi_intro.adoc b/cfi_intro.adoc
@@ -112,8 +112,9 @@ An application that has the Zicfiss extension active may request the dynamic
 loader at runtime to load a new dynamic shared object (using dlopen() for
 example). If the requested object does not have the Zicfiss attribute then
 the dynamic loader, based on its policy (e.g, established by the operating
-system or the administrator) configuration, either fail the request or
-deactivate the Zicfiss extension for the application.
+system or the administrator) configuration, either deny the request or
+deactivate the Zicfiss extension for the application. It is recommended that
+the policy enforces a strict security posture and denies the request.
 
 When the Zicfiss extension is not active or not implemented, the Zicfiss
 instructions revert to their Zimop/Zcmop defined behavior. This allows a